IE, Firefox Share Vulnerability

Internet Explorer 7 and Firefox 2.0 share a logic flaw. The issue is actually more severe, as the two versions of the Microsoft and Mozilla browsers are not the only ones affected. In this regard, the vulnerability impacts Internet Explorer 5.01, Internet Explorer 6 and Internet Explorer 7 but also Firefox 1.5.0.9. Microsoft has stressed the fact that IE7 on Windows Vista is not affected in any manner.

Don’t you know that HTML is a markup language universally known, so you can make yourself your personal rendering engine for html pages.. Would it be a reverse-engineered version of MS Internet Explorer? ….

So, it appears that using Javascript, the page is redirecting select input from the user to the file input box – and then uploading the file to the server once complete.

This doesn’t really surprise me – but I wouldn’t have thought of it

So, mitigating factors appear to be: Have an exploitable browser, have a C:boot.ini (although any file could be used for this), have administrative priveleges (so that accessing boot.ini is possible for the browser in the first place) and have Javascript enabled.

For the record, it does work on my system… but I have to type very slowly as it’s shifting focus around and has a hard time keeping up.

It’s an interesting example – the javascript engines in both IE and FF only allow the most recent keypresses to be added to a file input… I think the example is a bit more complex than it needs to be – I’m gonna have to play with this. It should be possible to simply use the return state and CSS layering to do this a LOT simpler than how this example is working.

Good point – in fact I believe I read that this problem exists on Firefox on Linux as well – allowing the upload of a file that the user has access to (i.e. /etc/passwd if the user is root) – would be interesting to see the same exploit written for that scenario

The example doesn’t work – the technique itself DOES. Theoretically you could pull any file, so long as you were able to get the user to type in ALL the characters in the filename in the order you want them... Which is why embedding this into a blog, forums or any other large text entry box could be a easy way to gather information…

The above paragraph for example, could (in theory) be used to pull info.txt from the current default browser upload directory (notice the bits in italic)

Would be interesting to see if it could be exploited by making it look like some kind of captcha.

And I would hope this is exactly what will be done with Firefox. That feature along with whitelisting support should be sufficient, and I mean jeez – how often do people upload to a website. Usually one uses just a few such sites regularly (email, photo sharing…)

Not sure about IE, Microsoft has a habit of doing stupid things to “fix” exploits.